One of the most important aspects of the recent cybersecurity executive order is also the aspect causing the most confusion.

When President Donald Trump signed the executive order in May, it included the requirement that federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risk. However, some have confused the NIST CSF with the NIST Risk Management Framework, which all federal agencies have been required to follow since its 2010 introduction.

To put it succinctly, they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.

NIST CSF Overview

The NIST CSF was released in February 2014 in response to a 2013 executive order that called for a voluntary framework of industry standards and best practices to help organizations manage cybersecurity risk.

The CSF was created as a result of collaboration between government and the private sector. It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”

The heart of the NIST CSF is the Framework Core, which consists of five functions: identify, protect, detect, respond and recover, each broken down into categories and subcategories. The functions and their categories aren’t a checklist of actions to be performed in order. Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk.”

Cybercrimes cost the global economy up to $500 billion annually, and can potentially result in the loss of 500,000 jobs in the United States alone.

These findings were highlighted in a report released Tuesday by the Center for Strategic and International Studies and commissioned by McAfee. To measure real-world losses from cyberattacks, the center enlisted economists, intellectual property experts and security researchers to develop the report. The researchers also anchored their estimates in real-world analogies, such as the costs of car crashes, piracy, pilferage and crime, and the drug trade.

The generally accepted range for cybercrime losses to the global economy was between $100 billion and $500 billion, the report noted.

The researchers also found it difficult to rely on methods such as surveys of cybercrime victims, because companies that revealed their cyber losses often were unable to estimate what had been taken, and intellectual property (IP) losses were difficult to quantify.

Malicious cyber activities involve more than the loss of financial assets or intellectual property, as there are costs from damage to brand and reputation, consumer losses from fraud, opportunity costs of service disruptions and “cleaning up” after breaches, and the cost of increased spending on cybersecurity.

It was also difficult to quantify the cost to national security because the theft of military technology could make nations less secure, by strengthening potential opponents or harming export markets in aerospace, advanced materials, or other high-end products.

“[When it comes to cybercrime], it is often the same actors pursuing a collection plan that targets both military and commercial sources,” the report said. “We cannot accurately assess the dollar value of the loss in military technology, but we can say that cyberespionage shifts the terms of engagement in favor of foreign competitors.”

The report further estimated that a total of 508,000 jobs could potentially be lost in the U.S. alone due to cyberespionage. The U.S. Commerce Department estimated in 2011 that US$1 billion in export value was equal to 5,080 jobs, which meant the high-end estimate of US$100 billion in U.S. losses would translate to 508,000 lost jobs, the report explained.

“If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging,” James Lewis, director and senior fellow of the technology and public policy program at CSIS, and a co-author of the report, said in a statement.

The National Security Agency leaks by Edward Snowden will easily go down as one of the biggest revelations of the year, if not the decade. But the episode also raises new questions about the risk that insiders pose to government and corporate cybersecurity, in spite of the attention lavished on foreign hackers.

Snowden’s case is unique in that it uncovered a previously unknown surveillance apparatus that’s massive in size and scope. The way the whistle-blower did his deed, however, is not unique. Two-thirds of all reported data breaches involve internal actors wittingly or unwittingly bringing sensitive information to outsiders, according to industry analysts.

“It’s not an either-or proposition,” said Mike DuBose, a former Justice Department official who led the agency’s efforts on trade-secret theft. “But amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders.”

DuBose is now the head of the cyber investigations unit at the risk-management firm Kroll Advisory Solutions. In February, his team authored a report warning that contractors, information-technology personnel, and disgruntled employees—all descriptors that fit Snowden pretty well—pose a greater threat than hackers, “both in frequency and in damage caused.”

Not everyone agrees. Even though insiders generally play an outsized role across all reported data breaches, their role in confirmed data breaches is rather small, according to an annual study by Verizon. In 2012, specifically, internal actors accounted for 14 percent of confirmed data breaches. Of those, system administrators were responsible for 16 percent.

However common they are, cases like Snowden’s show how devastating one insider can be. The extent of the damage depends on what’s being exfiltrated and from where, and there aren’t many standards for calculating losses. Most companies estimate the value of their trade secrets based on how much money they sank into the research and development of that knowledge. But for the government, it’s the potential security impact that takes precedence—and that turns the question into a matter of subjective debate.

Last month, The Washington Post reported that Chinese spies compromised the designs for some of the Pentagon’s most sensitive weapons systems, including the F-35 Joint Strike Fighter, the V-22 Osprey tiltrotor aircraft, and the Navy’s new Littoral Combat Ship.

If true, the report could have major consequences for national security. But Snowden’s case is equally consequential, if for different reasons, and it bolsters DuBose’s point about the relevance of insiders. Snowden may have rightfully uncovered evidence of government overreach, but if a mid-level contractor can steal top-secret information about the NSA and give it to the public in a gesture of self-sacrifice, someone else could do the same—but hand the intelligence to more nefarious actors.

WASHINGTON — The United States and China have agreed to hold regular, high-level talks on how to set standards of behavior for cybersecurity and commercial espionage, the first diplomatic effort to defuse the tensions over what the United States says is a daily barrage of computer break-ins and theft of corporate and government secrets.

The talks will begin in July. Next Friday, President Obama and President Xi Jinping of China, who took office this spring, are scheduled to hold an unusual, informal summit meeting in Rancho Mirage, Calif., that could set the tone for their relationship and help them confront chronic tensions like the nuclear threat from North Korea.

American officials say they do not expect the process to immediately yield a significant reduction in the daily intrusions from China. The head of the United States Cyber Command and director of the National Security Agency, Gen. Keith B. Alexander, has said the attacks have resulted in the “greatest transfer of wealth in history.” Hackers have stolen a variety of secrets, including negotiating strategies and schematics for next-generation fighter jets and gas pipeline control systems.

Nonetheless, a senior American official involved in the negotiations to hold regular meetings said in an interview on Friday that “we need to get some norms and rules.”

“It is a serious issue that cannot simply be swatted away with talking points,” said the official, who noted that the meetings would focus primarily on the theft of intellectual property from American companies. “Our concerns are not limited to that, but that’s what needs urgent attention,” he added.

The Chinese government has insisted it is a victim of cyberattacks, not a perpetrator, and Chinese officials have vigorously denied the extensive evidence gathered by the Pentagon and private security experts that a unit of the People’s Liberation Army, Unit 61398 outside Shanghai, is behind many of the most sophisticated attacks on the United States.

On Saturday, after Defense Secretary Chuck Hagel spoke of a “growing threat of cyberintrusions” at a conference in Singapore, in comments directed at China, a Chinese general gave a tart response saying she doubted the United States’ assurances that its growing military presence in Asia was not directed at China.

While cyberattacks will be a major subject of the talks in Rancho Mirage, at an estate that belonged to Walter Annenberg, the main effort will be to forge a rapport between Mr. Obama and Mr. Xi. American officials hope the estate, known as Sunnylands, which has played host to American presidents and foreign dignitaries dating to Richard M. Nixon, will put both men at ease.

American officials said they have been surprised by the pace at which Mr. Xi, a longtime party functionary who consolidated his grip on power in March, has installed new faces in the Chinese leadership and moved to take greater control over the military, something his predecessor, Hu Jintao, never mastered.

Another main issue at the meeting will be North Korea. American officials, emerging from talks with Mr. Xi and his team, believe that the new Chinese leader has less patience for North Korea and little of the sentimental attachment to its leaders that his predecessors had.

“What’s interesting here is the dog that isn’t barking,” the American official said. The Chinese, he noted, are not urging all sides to resume talks until the North Koreans agree that the objective is removing all nuclear weapons from the Korean Peninsula. “We’re not hearing the soothing mantra of restraint,” he said.

The Chinese have also taken public steps to confront North Korea, like ordering the Bank of China to stop dealing with North Korea’s largest foreign-exchange bank.

“They’re much more open to causing pain to North Korea,” said Jeffrey A. Bader, a top China adviser to Mr. Obama until 2011.

Still, during the latest round of the Korea crisis this spring, Kim Jong-un, the young and largely untested new North Korean leader, made it clear that he had no intention of ever giving up his small arsenal.

Cybersecurity issues loom large between the United States and China because they go to the heart of the economic relationship between the two countries, even more so now that previous sources of friction, like China’s foreign exchange policies, have eased in the last year.

Chinese academics and industrialists say that if China is to maintain its annual economic growth rate of 7 or 8 percent, it needs a steady inflow of new technology. That could make the Chinese reluctant to cut back on the systematic theft of intellectual property.

In return, the Chinese will press the Americans on their use of cyberweapons: while there is no evidence that they have been used against Chinese targets, the sophisticated cyberattacks on Iran’s nuclear program by the United States and Israel are often cited by the Chinese news media and military journals as evidence that Washington, too, uses cyberspace for strategic advantage.

The talks over computer hacking will start as part of the Strategic and Economic Dialogue, an annual meeting of Chinese and American officials on a broad range of issues. But a new working group is being organized on the subject that will meet more frequently, officials say.

Where the talks will lead, however, is unclear: after considerable debate within the Obama administration, officials have concluded that online conflict does not lend itself to the kind of arms control treaties that the United States and the Soviet Union began negotiating 50 years ago. Today, cyberweapons are held by private individuals as well as states, and figuring out where an attack began can be maddeningly difficult.

Another problem, China experts said, is that neither the Americans nor the Chinese are well prepared for a candid discussion of cyberissues. The growth of hacking, and its use in both military and corporate espionage, is a new enough phenomenon that it is not clear how seriously Mr. Xi and other senior Chinese leaders view it.

Tung Chee-hwa, a former chief executive of Hong Kong who has close ties to China’s leaders, said recently that when he raises the American concerns about hacking with senior officials in Beijing, they express puzzlement.

And neither side, experts said, is ready to discuss military espionage, which means the conversation will necessarily focus on the theft of corporate secrets by China-based hackers. On that subject, they said, Mr. Obama needs to be unyielding.

“Obama has got to say, ‘You’ve got a major hacking operation under way in Beijing, you’ve got a major hacking operation under way in Shanghai. This is going to have repercussions if we don’t see changes very quickly,’ ” said Kenneth G. Lieberthal, a China adviser in the Clinton administration who is now at the Brookings Institution.

China and the United States, experts say, could find common ground on the need to stop cyberattacks on critical national infrastructure, like the electrical grid, since it poses such a danger to both countries. “I personally think a bilateral ‘no sabotage’ pledge would be a very good idea,” Mr. Bader said.

Demand for cybersecurity professionals continues to climb, and while overall pay for security staff dipped slightly this year, cyber pros are still earning more than their counterparts in general IT jobs, according to a new survey.

InformationWeek’s 2013 Salary Survey of 682 IT security professionals found the strong market for cyber professionals has nearly erased the gender gap when it comes to pay. The median staff salary declined $2,000, to $95,000, in 2013, while management salaries increased to $120,000, up $5,000 from the previous year.

Those figures are significantly higher than those for general IT staff and management, each of which increased $2,000 in 2013, to $87,000 and $110,000, respectively, the survey found.

In addition, the survey showed very little disparity when it comes to comparing salaries for men and women in IT security jobs. While male security staffers still make $2,000 more per year than the average female IT security pro, those in management positions held the same average salary ($120,000), regardless of gender.

Cybersecurity professionals also tend to be very satisfied with their jobs, with 63 percent of respondents saying they are satisfied or very satisfied with all aspects of their jobs.

But despite high job satisfaction among cybersecurity professionals, many indicate that they will likely leave their jobs soon. The opportunity for higher pay was the top reason for leaving among 68 percent of staff and 73 percent of managers, the study found.

“George, for example, loves working for his federal agency but will likely leave soon – the competitive pay and benefits offered by the private sector make it hard for the government to compete,” the report states.

Surprisingly, however, security professionals have some reservations about their job security. Eighty-nine percent of IT security staffers said they feel at least somewhat secure in their jobs, down from 92 percent in 2012, and 92 percent of security managers feel secure, down from 93 percent last year. This is largely due to the uncertainty about government funding and the sequester, and/or because of the high expectations to prevent attacks and keep skills up to date, the survey found.

Finally, certifications also continue to be an asset for cybersecurity professionals, with staff members holding certifications making $12,000 more and managers making $10,000 more in base salary than their noncertified counterparts, the study found.

But while certifications were an asset, formal education requirements may be a barrier to getting a cybersecurity job, an expectation some organizations may have to relax if they are to meet the demand for cyber professionals, the survey states. The Homeland Security Department’s Task Force on CyberSkills is looking to use junior and community colleges in combination with 2,000 hours of on-the-job training to bring potential workers without a definitive degree up to the levels where they can defend a network from attack, according to the report.

“While certifications are needed to get past the HR filters, hiring professionals who continue to educate themselves is important,” the report states. “After all, attackers don’t care about that piece of paper.”

SEATTLE — Disclosures last week about network intrusions at the New York Times and the Federal Reserve demonstrate that some companies have begun taking progressive steps to detect persistent cyberintruders and limit the damage they do.

Thieves and spies are hacking into company networks as intensively as ever. But some large organizations are starting to limit the damage they can do once inside, and information about successful defense strategies is being more widely shared for the greater good.

“If you stop the bad actor from taking action on his or her objective, you win,” says Steve Adegbite, director of cybersecurity at defense giant Lockheed Martin.

In the past 18 months, U.S. companies and agencies have more readily acknowledged that breaches are occurring daily and have moved to update systems for detecting persistent intruders and limiting the damage they can do, security experts say.

The New York Times hired forensics firm Mandiant, which used military-style counter-intelligence tactics to detect and cripple intruders, who appeared to be based in China. The paper then surprised many in the security community by sharing details of Mandiant’s findings.

“It’s turning a page,” says Kurt Baumgartner, senior security analyst at Kaspersky Lab. “They immediately disclosed what the attackers were looking for, down to the reporters’ material the attackers were hunting.”

A day after the Times disclosure, The Wall Street Journal announced that it, too, detected and blocked network intruders, who also appeared to originate from China. Last Thursday, the Federal Reserve disclosed a breach of one of its internal websites. The hacking collective Anonymous claimed responsibility for the hack. The intruders got access to emergency contact information for 4,000 banking executives. But the agency said no critical operations were affected.

Those cases illustrate how companies and agencies are focusing on tactics to flush out intrusions in progress and prevent attackers from accessing the most valuable intellectual property, says Eddie Schwartz, chief information security officer at security firm RSA.

“There is a growing awareness that organizations are under constant attack in terms of nation-state espionage, organized criminal theft and hacktivist action and that they must implement equally advanced and committed defenses,” says Schwartz.

Security analysts hope that other breached organizations, led by the Times’ example, share detailed intelligence about both successes and failures in defending against cyberintruders.

“It’s like being at an Alcoholics Anonymous meeting — first you have to acknowledge you have a problem,” says Gunter Ollmann, chief technology officer at security consultancy IOActive.

Chris Petersen, chief technology officer at tech systems provider LogRhythm, cautions that cybercrime has become a rich and resilient global industry that won’t soon relent. “The motivations driving malicious cyberactivities continue to rise,” he says. “There is money to be made, points to get across and war to wage.”

Earlier this week, Sophos released the latest edition of its Security Threat Report, summing up the biggest threats seen during 2012, along with five trends that are likely to factor into IT security in the coming year.

Regarding the malware rides we experienced in 2012 and the thrills we can expect in 2013, there will be cross-over, for sure: Blackhole was huge in 2012, and it’s not going away, barring the law nailing the person/s running it, the report notes.

Between October 2011 and March 2012, out of all threats detected by SophosLabs, nearly 30% either came from Blackhole directly or were redirects to Blackhole kits from compromised legitimate sites, as Naked Security’s coverage of Blackhole exploits attests.

This adroit exploit kit rapidly mutates to thwart security efforts against it, while its software-as-a-service business model is, as the report notes, something for business school grads to drool over.

The professionalization of crimeware such as Blackhole marks a major shift as we head into the new year.

Many people rely heavily on the internet for running their daily lives. And every day, the number of internet-dependent people increases. From studying, socializing or shopping, many technologically savvy individuals use their computers or mobile devices to run errands and to entertain themselves. While technology has vastly improved our lives, countless dangers lurk on the internet. Cybercrime is on the rise and has already affected many individuals and companies.

Stu Sjouwerman, founder of KnowBe4, a site dedicated to cyber security awareness and training, stated that it has been a challenge to compete with the dynamic “industry” of cybercrime, but it is a challenge that Sjouwerman welcomes.

“There are people in Eastern Europe who go to work, punch the clock, work all day, get health benefits, leave at 5 p.m., and what they do is steal your identity or hack into your network,” Sjouwerman said.

Cybercrime has completely professionalized over the last few decades, in contrast to when only a handful of individuals had the time and money to hack into systems.

While cybercrime evolves into a larger industry, some people have yet to adapt. They are not aware of Sjouwerman’s number one rule in cyber security, “There is no security.”

Additional layers of good security can alleviate an individual’s stress regarding cyber-attacks, but security technology is no replacement for human vigilance. It only takes one human error to let criminals into the system.

Professor Sean Peisert, a research computer scientist from the Lawrence Berkeley National Laboratory and a faculty member of the UC Davis Computer Security Lab, said that most anti-virus or anti-malware software protects only against known threats. As long as a hacker has enough time and resources, he or she can get past any security system by creating something the security programs have not yet been designed to deal with.

However, various computer and internet security companies and programmers adapt quickly in response to the challenge, studying from past hackers. Some computer security programmers work directly with hackers to improve security. For example, KnowBe4 has worked together with infamous computer hacker Kevin Mitnick. Mitnick was one of the first true computer hackers, breaking into company networks belonging to Motorola, NEC, Nokia, Sun Microsystems, Fujitsu and Siemens.

As for UC Davis, the busy people of the UC Davis Cyber-safety Program and the UC Davis Computer Security Lab work for better internet security.

The professors involved in the UC Davis Computer Security Lab explore and research various areas of internet security. Some, like Professor Hao Chen, work with mobile computing and mobile app security, while others, like Professor Karl Levitt, work on a variety of projects from intrusion detection to network tracking, and even election security.

Professor Peisert helped investigate the cyber attacks on the San Diego Supercomputer Center perpetrated by “Stakkato,” the alias of a group of hackers who broke into systems belonging to the U.S. military, White Sands Missile Range, NASA and multiple universities.

He often looks at certain aspects of internet security, such as how people hide personal information. In addition, he is interested in computer security education, which includes teaching robust coding, a style of programming in which a program handles unexpected input and conditions gracefully instead of crashing.

“Campus folk are good with security,” Professor Matt Bishop of the Computer Security Lab noted when asked about UC Davis’ status.

In the frontline for UC Davis’ cyber security is Robert Ono, IT security coordinator of the UC Davis Cyber-safety Program. Currently, the campus staff upholds the adopted Cybersecurity policy of 2005 through governance models and stringent security standards for campus network devices. While maintaining the program’s website and handling security risks, Ono oversees campus security training.

“A biennial security symposium [hosting] hands-on training and lecture seminars for technologists,” Ono said, is one of the methods for training new staff.

Along with the symposium, training includes log management, threat management and coding techniques.

Beyond their own work to improve cyber security, these companies, professors and staff also offer steps and advice to help the general public protect themselves.

“Make sure you patch your computer and applications. If there is an update, do the update. Last but not least, use strong passwords and for god’s sake don’t use the same password all over the place,” Sjouwerman said.

Bishop gave an apt analogy regarding passwords.

“Use common sense. Realize that there are nasty folks on the internet. You wouldn’t give your car keys to someone you didn’t know very well, and you shouldn’t do the same with your password.”

Peisert said computer owners don’t need to buy loads of security software, since most end up ignoring the security alerts anyway.

“So, rule number one is back up your systems: Time Machine, CrashPlan, BackBlaze, Mozy, Dropbox and others are simple, inexpensive means for doing this.”

Ono suggested that the public “identify files on [their] computer that contain personal identity information (e.g. your name, Social Security number or credit card/financial account number) and remove the files if at all possible. There are free tools for personal use, such as IdentityFinder, that are available for scanning your Mac and Windows computer(s) for identity information.”
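The scan Ono describes can be approximated with a short script. The following is an added example, not code from the article or from IdentityFinder: it walks a directory, flags SSN-shaped strings that pass the structural rules (no 000, 666 or 900–999 area number, no 00 group, no 0000 serial) and digit runs that pass the Luhn checksum used by payment card numbers, which keeps phone numbers and ticket identifiers out of the results. The sample files it writes to a temporary directory are constructed for the demonstration and contain no real data.

```python
"""Scan files for identity information: SSN-shaped strings and Luhn-valid card numbers."""
import os
import re
import tempfile

# Candidate patterns are deliberately broad; the validators below prune false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional space/dash groups


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) that every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area not 000/666/9xx, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_identity_data(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) hits for SSNs and card numbers found in `text`."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def scan_directory(root: str, max_bytes: int = 1_000_000) -> dict[str, list[tuple[str, str]]]:
    """Walk `root` and return {relative path: hits} for every readable file with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    raw = f.read(max_bytes)          # bound memory on large files
            except OSError:
                continue                              # unreadable: skip, do not abort the scan
            hits = find_identity_data(raw.decode("utf-8", errors="ignore"))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo() -> dict[str, list[tuple[str, str]]]:
    """Build a constructed sample directory (fictitious data) and scan it."""
    samples = {
        "taxes.txt": "Filer SSN: 123-45-6789\n",
        "orders.csv": "card,4111 1111 1111 1111,approved\ncard,4111-1111-1111-1112,declined\n",
        "notes.txt": "ticket 000-12-3456, part 987-65-4321, phone 555-867-5309\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Run `demo()` against the constructed samples, or `scan_directory(os.path.expanduser("~"))` against a real home directory. The validators only cut false positives: an SSN written without dashes or a card number split across lines will be missed, so treat an empty report as a reduction in risk rather than proof that no identity data is present.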

The overall lesson is this: practice caution and be wary, but do not be too paranoid since the internet is still a wonderful tool.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.
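The reset chain described above works because the “proof” the service asks for is information an attacker can look up. As an added example (not code from the article or from any of the services it names), the following contrasts a knowledge-based reset with one that sends a random, single-use, expiring token to the account’s registered channel and stores only its hash. The account store, the `send` callback standing in for e-mail or SMS delivery, and the controllable clock are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


class WeakReset:
    """Knowledge-based reset: whoever supplies a public fact about the victim gets the account."""

    def __init__(self, accounts):
        self.accounts = accounts

    def reset(self, email, birth_city):
        acct = self.accounts.get(email)
        if acct and acct["birth_city"].lower() == birth_city.strip().lower():
            acct["password"] = secrets.token_urlsafe(12)
            return acct["password"]          # handed straight to the requester
        return None


class TokenReset:
    """Out-of-band reset: random single-use token, time-limited, stored only as a hash."""

    TTL = 900            # seconds a token stays valid
    MAX_ATTEMPTS = 5     # wrong guesses before the pending token is burned

    def __init__(self, accounts, send, clock=time.time):
        self.accounts = accounts
        self.send = send          # delivery to the registered address; constructed stub in demo()
        self.clock = clock
        self.pending = {}         # email -> (sha256(token), expiry)
        self.failures = {}        # email -> wrong-token count

    def request(self, email):
        # Identical reply for known and unknown addresses: no account enumeration.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)                     # 256 bits, unguessable
            digest = hashlib.sha256(token.encode()).digest()
            self.pending[email] = (digest, self.clock() + self.TTL)
            self.failures[email] = 0
            self.send(email, token)                              # only copy of the plaintext token
        return "If that address is registered, a reset link has been sent."

    def complete(self, email, token, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self.pending[email]                              # expired: discard
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):            # constant-time comparison
            self.failures[email] += 1
            if self.failures[email] >= self.MAX_ATTEMPTS:
                del self.pending[email]                          # burn after repeated guesses
            return False
        del self.pending[email]                                  # single use
        self.accounts[email]["password"] = new_password
        return True


def demo() -> dict:
    """Constructed scenario: the attacker knows only public facts about the victim."""
    victim = "alice@example.com"
    # Weak flow: the birth city is on a public profile, so the attacker resets the password.
    weak = WeakReset({victim: {"birth_city": "Springfield", "password": "old"}})
    weak_result = weak.reset(victim, "springfield")

    # Hardened flow: the token goes to the registered mailbox, which the attacker cannot read.
    accounts = {victim: {"birth_city": "Springfield", "password": "old"}}
    outbox = []                                 # stands in for e-mail/SMS delivery
    now = [1_700_000_000.0]                     # controllable clock for the expiry check
    strong = TokenReset(accounts, send=lambda e, t: outbox.append((e, t)), clock=lambda: now[0])
    strong.request("nobody@example.com")        # unknown account: same reply, nothing sent
    strong.request(victim)
    guess_accepted = strong.complete(victim, secrets.token_urlsafe(32), "pwned")
    legit_accepted = strong.complete(victim, outbox[-1][1], "new-pass")
    replay_accepted = strong.complete(victim, outbox[-1][1], "again")
    strong.request(victim)
    now[0] += TokenReset.TTL + 1
    expired_accepted = strong.complete(victim, outbox[-1][1], "late")
    return {
        "weak_reset_succeeded": weak_result is not None,
        "guess_accepted": guess_accepted,
        "legit_accepted": legit_accepted,
        "replay_accepted": replay_accepted,
        "expired_accepted": expired_accepted,
        "messages_sent": len(outbox),
        "password_after": accounts[victim]["password"],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened flow gives the same answer whether or not the address is registered and refuses guessed, replayed and expired tokens. It does not solve the daisy-chaining problem: if the mailbox that receives the token has itself been taken over through a weaker reset elsewhere, the token lands with the attacker, which is exactly the chain the author describes.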

Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.